
Repetitive Spyware Infections, Assistance Greatly Appreciated

Discussion in 'Malware and Virus Removal Archive' started by XPS_Gen_II, 2005/11/23.

  1. 2005/11/23
    XPS_Gen_II (Thread Starter; joined 2005/11/22; messages: 1)

    Hello,

    Previous visitor to this forum, yet I finally registered last night and hoped I could be the proud recipient of some of this wonderful talent in relation to possible spyware/malware infections on my laptop. I followed the instructions of programs to run prior to posting last night, and ran all of them (that were still valid links). Here is a synopsis of what brings me here.

    Got a new Dell XPS Generation II laptop which I use daily. I used to run my 7 Mb cable internet through a NETGEAR wireless router, with no protection. I know, I know, I know. But at that time, I clearly did not know. I am almost positive my neighbor was riding my connection, and almost equally as sure he may have been the person who placed the later-mentioned WINSPY on my system just before he left for college. About 1 1/2 months ago, I found that there was a version of WINSPY running on my PC for an unknown period of time, and of course Norton wasn't picking it up. I have no idea how much data I may have lost, but it is nothing short of troubling when I think about it. After finding out about this infection, I got up with the makers of WINSPY, and when I explained the circumstances to them, they assisted me in the removal of same by giving me two programs to use. Worked great, but I never confirmed who did this to me.

    I did a fresh install of Windows XP SP2 Media Center Edition anyway. So, I tried (with no success) to protect my wireless connection via encryption, WPK, WKA, or whatever they are called, and even had my key change every 30 minutes. As well, my router did not broadcast its location, for lack of the correct technical term. Well, in no time at all, a version of Perfect Keylogger appears on my PC, and then different viruses almost all at once. Tried with no success to fix it, and eventually lost all my data on my HD, and just about gave up. Before I lost it all, I lost all control. Someone had been able to go all in my system, changing privileges on items to where I didn't even have access. Crazy stuff like creating "hidden volumes" on my single hard drive, setting up controls where my login name only had access to X amount of hard drive space.... really weird.

    Another fresh install anyway, and now a very long cable from my cable modem to the living room with my laptop (LOL). No more wireless for me, and that I hate. I installed several different programs to try and avoid these insanely menacing programs that I have had problems with. And that leads me to here and now.

    I am just up and running on this laptop that I adore, but have hardly been able to enjoy it for all these problems. I am getting error messages, and puzzling prompts, etc. during the opening, running, and closing of Windows. This really bothers me as I have concern that I may not have a reliable and relatively safe way to surf the net. I will list anything that I can think of initially and will gladly follow the instructions given by anyone who is willing and able to assist me. That includes the purchase of the suggested products/programs/software that will help me surf in peace. Thank you in advance for any and all help.

    Please assist me in my concerns over the below-described incidents, and if possible, assist me in taking the right steps to ensure that I can surf in peace without fear of further infection or intrusion. Thank you again.

    My PC basic information:

    About 5-month-old Dell "XPS Generation II" laptop (love it)
    80 GB, 7200 rpm HD
    2 GB RAM
    Nvidia (?) graphics card
    (I don't know all the details, but I can get them if needed)

    I have currently installed:

    Ghostsurf 2006 Platinum (w/ Spy Catcher)
    Webroot Spy Sweeper
    Webroot Desktop Firewall
    Norton Internet Security 2005
    (HAD INSTALLED) Webroot Window Washer (Now uninstalled, as it seems to create more problems than anything)


    Symptoms:

    When Windows initially loads:

    Sonic Update Manager tries to load/install. I hit cancel, it asks for a CD ("Insert the "Sonic Update Manager" disk and click OK"). I click cancel, and it tries again. When asking for a CD, in the "browse" window by default the "source" for same is listed as nothing but " 1 ". After many tries it (appears) to give up. It eventually says "An installation package for the product Sonic Update Manager cannot be found. Try the installation again using a valid copy of the installation package 'UM.MSI'."

    Next, about 25% of the time, "Spy Sweeper" says that it has stopped a program from logging keystrokes. It further says it is "Apoint.exe" (which came directly off my Dell resource CD), and works with the functioning of the "mouse" on my laptop. This, I REALLY don't get. "Spy Sweeper" often tells me it has found three files that MAY be a rootkit and shows me three internal files that are in the program Ghostsurf 2006 Platinum (w/ Spy Catcher).

    Also, "Spy Catcher" (part of the "GhostSurf 2006 Platinum" package) was stopping a program that I think was named msmsg.exe, or something like that. I know it has something to do with messaging, but nothing to do with "Windows Messenger". It no longer prompts for that, and that concerns me.

    Something that further concerns me is files I see in Windows where there is like a "Mail drop" envelope-like icon with other items, and I just don't get that.

    When Windows is running:

    I often get some message similar to "Do you want to allow nmain to install ole32.dll" or something almost exactly like that. And just today, I got an unknown type of message asking if I would allow viewmgr (?) to install.

    When Windows is closing/shutting down:

    When I shut down, I always get an "End Program" box for "Available Networks", like it is a non-responding program. I have to hit "End Now". And about half of the time when it shuts down, I get the same as above for a file named "ZcfgSvc.exe" (appears to be from "C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe") and I respond in the same way. (I do not use my wireless anymore, and thought I had them turned off. This is because of fear that my previous infections came via my unprotected wireless connection. My PC has the built-in wireless card, as well as Bluetooth. I am not (trying) to use them.) The system can then shut down or restart.

    Lastly, with reference to Microsoft .NET Framework, SQL stuff, and wireless stuff (including Bluetooth), is there a safe way to disable these without any negative effects? Just curious, because those are a couple of the things on this OS that I suspect may have been used to assist the aforementioned spyware programs. Or/And.... is this a safe way to surf wirelessly? Thanks!



    Logfile of HijackThis v1.99.1
    Scan saved at 9:41:33 PM, on 11/23/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\Dell\QuickSet\QuickSet.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\AIM\aim.exe
    C:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe
    C:\Program Files\GhostSurf 2006 Platinum\Proxy.exe
    C:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe
    C:\Program Files\ACD Systems\ImageFox\ImageFox.exe
    C:\WINDOWS\system32\notepad.exe
    C:\AntiSpyware\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wraltv.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.wraltv.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\GhostSurf 2006 Platinum\SCActiveBlock.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [WebrootDesktopFirewall] C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe -t
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKLM\..\Run: [GhostSurf Reminder] "C:\Program Files\GhostSurf 2006 Platinum\Privacy Control Center.exe" reminder
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2006 Platinum\DeleteSatellite.exe "
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - Startup: ImageFox.lnk = C:\Program Files\ACD Systems\ImageFox\ImageFox.exe
    O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2006 Platinum\Scheduler daemon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2006 Platinum\Proxy.exe
    O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\GhostSurf 2006 Platinum\Protector.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1132217360203
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - AppInit_DLLs: interceptor.dll
    O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Webroot Desktop Firewall Data Service (WebrootDesktopFirewallDataService) - Webroot Software, Inc. - C:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe
    O23 - Service: Webroot Desktop Firewall (WebrootFirewall) - Unknown owner - C:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe
    O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
     
  2. 2005/11/24
    charlesvar (Alumni; joined 2002/02/18; messages: 7,024)

    Hello XPS_Gen_II,

    First thing to do before anything else is to look at your startups and see what they are and whether they are needed. An example is the Sonic Updater; it's stupid and has no need to be running in the background.

    Go here http://www.windowsbbs.com/showthread.php?t=39425 for the links to databases on startups/processes info. As far as I can tell, the messages you're getting are from/about "legitimate" programs that are running amok; that's why I put legitimate in quotes.

    Regards - Charles
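Charles's advice above is to go through the startup entries one at a time and look each one up. As an added example, not part of the original thread and not HijackThis code, the Python script below groups the R/O entries of a HijackThis 1.99 log and flags the ones a practitioner would look up first: entries whose target file is reported missing, a browser proxy pointed at a local port (match it to an installed program such as a privacy proxy before touching it), Run-key commands that give no full path (these resolve through the search path, so the file's real location must be confirmed), rundll32 hosts (the DLL it loads is what matters, not rundll32 itself), AppInit_DLLs and Winlogon Notify DLLs (loaded into every GUI process, or at every logon, so their owner must be identified), and services for which HijackThis shows no vendor string. The sample lines are excerpted from the log posted above; the flag reasons are this script's own heuristics, not verdicts from any startup database, and a flag means "look this up", not "remove".

```python
"""Triage a HijackThis 1.99 log: group the autostart entries and flag the
ones worth checking against a startup/process database before removal.

Added example, not HijackThis code. Assumes the 1.99.1 line formats shown
in the log above (R1 ..., O4 ..., O9 ..., O20 ..., O23 ...).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Lines excerpted from the log posted above (not a constructed sample).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Desktop Firewall (WebrootFirewall) - Unknown owner - C:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
"""

# "R1 - ..." / "O23 - ..." entry lines; the process list and headers do not match.
ENTRY_RE = re.compile(r"^(?P<sec>R[0-3]|O\d{1,2}) - (?P<body>.+)$")
# O4 Run-key form: HKLM\..\Run: [name] command line
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# O23 form: Service: display name (short name) - vendor - path
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def first_token(cmd: str) -> str:
    """Return the program part of a Run-key command, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> list[Finding]:
    """Walk the log and return the entries that need a manual lookup."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if "(file missing)" in body:
            findings.append(Finding(sec, "dangling entry, target file missing", line))
            continue
        if sec == "R1" and "ProxyServer = 127.0.0.1" in body:
            findings.append(Finding(sec, "browser proxied through a local port; match it to an installed program", line))
        elif sec == "O4":
            o4 = O4_RE.match(body)
            if o4:
                prog = first_token(o4.group("cmd"))
                if prog.lower().endswith("rundll32.exe"):
                    findings.append(Finding(sec, "rundll32 host; the loaded DLL is what needs checking", line))
                elif "\\" not in prog:
                    findings.append(Finding(sec, "bare filename resolved via the search path; confirm where it lives", line))
        elif sec == "O20":
            if body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
                findings.append(Finding(sec, "AppInit_DLLs loads into every user32 process; identify the owner", line))
            elif body.startswith("Winlogon Notify:"):
                findings.append(Finding(sec, "Winlogon notification DLL runs at logon; identify the owner", line))
        elif sec == "O23":
            o23 = O23_RE.match(body)
            if o23 and o23.group("vendor") == "Unknown owner":
                findings.append(Finding(sec, "service with no vendor string; verify the binary", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Run against the full log, the same rules also pick up the second Winlogon Notify entry (IntelWireless) and the second missing-file O9 line; a Program Files path with a known vendor, such as the Spy Sweeper line above, produces no finding. Whatever the script flags still has to be checked against the startup and process databases Charles links to before anything is fixed in HijackThis.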
     
